System and method for securing drive access to data storage media based on medium identifiers

ABSTRACT

A method for securing access to a data medium comprises listing, in memory storage of a data transfer element, at least one unique identifier of media that the data transfer element is allowed to access; accessing with the data transfer element only media having at least one of the listed unique identifiers in media cartridge memory; and writing, with the data transfer element, a unique identifier associated with the data transfer element to the cartridge memory of a selected medium in response to no library-assigned unique identifier being present in the cartridge memory of the selected medium.

RELATED APPLICATIONS

The present invention is related to the following copending and commonly assigned U.S. patent applications: Ser. No. [30014510-1] entitled System and Method for Partitioning a Storage Area Network Associated Data Library, filed Dec. 28, 2001; Ser. No. [30014511-1] entitled System and Method for Partitioning a Storage Area Network Associated Data Library Employing Element Addresses, filed Dec. 28, 2001; Ser. No. [30014512-1] entitled System and Method for Managing Access To Multiple Devices in a Partitioned Data Library, filed Dec. 28, 2001; Ser. No. [30014513-1] entitled System and Method for Peripheral Device Virtual Functionality Overlay, filed Dec. 28, 2001; Ser. No. [30014514-1] entitled System and Method for Securing Drive Access to Media Based On Medium Identification Numbers, filed Dec. 28, 2001; Ser. No. [30014516-1] entitled System and Method for Securing Fiber Channel Drive Access in a Partitioned Data Library, filed Dec. 28, 2001; Ser. No. [30014517-1] entitled Method for Using Partitioning to Provide Capacity on Demand in Data Libraries, filed Dec. 28, 2001; Ser. No. [30014518-1] entitled System and Method for Intermediating Communication with a Moveable Media Library Utilizing a Plurality of Partitions, filed Dec. 28, 2001; and Ser. No. [30008195-1], entitled System and Method for Managing a Moveable Media Library with Library Partitions, filed Dec. 28, 2001; the disclosures of which are hereby incorporated herein by reference.

TECHNICAL FIELD

The present invention generally relates to data storage and specifically to systems and methods for securing drive access to media based on medium identifiers.

BACKGROUND

One of the most attractive aspects of a storage area network (SAN) is that network connectivity enables a company to use storage efficiently by sharing storage capacity among a number of servers. This may be implemented using a large number of small capacity storage devices. However, unless sufficiently robust management software is employed, such use of small capacity devices in a SAN may result in significant management overhead. Most users prefer to install large capacity storage devices and partition the device(s), assigning each partition to a different server. For example, existing firmware for enterprise level disk arrays allows users to define multiple redundant array of independent disks (RAID) sets, where each RAID set appears as a different logical unit number (LUN). Each one of these LUNs may be dedicated to a different server.

In certain SAN usage scenarios, such as may arise for storage service providers (SSPs), there are multiple customers attempting to share common SAN resources. In such cases, there is a need to ensure that customers can only see and access the storage resources they have been allocated, and to prevent them from accessing the storage of other customers. For example, if a customer stores their critical business data with an SSP, then they generally do not want other customers of the SSP reading their data, or even being aware that the customer has information stored with the SSP. To isolate user data in a data library, the library may be partitioned. However, special hardware or special backup software, as described below, has been used to implement partitioning.

Existing software-based data library partitioning solutions typically employ a host system that restricts access to portions of a tape library. The host restrictions are implemented by a mediating (software) process on a host system to enforce partition restrictions. However, this approach is problematic. Specifically, the approach is undesirable if the data library is utilized in an SSP environment. In SSP environments, the data library and the host systems belong to different entities (e.g., the SSP and the customers). Placement of software mediating processes on host systems is unattractive, because it increases the burden on the customers to make use of the storage service. Moreover, many customers are unwilling to allow other parties to place software on their host systems. Additionally, the software mediating process approach is typically incompatible with existing data back-up utilities, i.e., the software mediating process approach requires the use of specialized data back-up applications. Hence, users are effectively denied the ability to run the backup software of their choice.

An additional problem may arise in that a library operator may accidentally place a medium in an incorrect storage slot within a partitioned data library, or in an entirely incorrect data library within an SSP's facility. This may allow the misplaced medium to be read by an SSP customer or user other than the owner of the information on the misplaced medium.

The use of memory in a tape cartridge, generally referred to as cartridge memory (CM), is known in the art. Existing cartridges and drives store information in the CM such as how many times a tape has been loaded, a cassette serial number, what was last written on the tape, what block was last written to on the tape and/or the tape error rate. Conventionally this information facilitates setting up the tape when it is inserted back into a drive. For example, each time a tape cartridge with CM is inserted into a drive, the CM is read during initialization of the drive. During the drive initialization sequence, the drive reads the memory, diagnoses the tape, and recognizes the tape format and where writing should begin. Additionally, information in the memory about error rate and/or number of loads can help diagnose failing tapes. Such CM may also be referred to as memory in cartridge (MIC).

SUMMARY OF THE INVENTION

A method for securing access to a data medium comprises listing, in memory storage of a data transfer element, at least one unique identifier of media that the data transfer element is allowed to access; accessing with the data transfer element only media having at least one of the listed unique identifiers in media cartridge memory; and writing, with the data transfer element, a unique identifier associated with the data transfer element to the cartridge memory of a selected medium in response to no library-assigned unique identifier being present in the cartridge memory of the selected medium.

A method embodiment for securing access to data media in a particular partition of a partitioned data library comprises listing, in memory storage of the data transfer elements in the partition, at least one unique identifier of media that the data transfer elements in the partition are allowed to access; reading a unique identifier from cartridge memory of a selected medium with a data transfer element receiving the selected medium; checking the memory storage of the data transfer element receiving the selected medium for the unique identifier of the selected medium; and accessing the selected medium in response to the unique identifier of the selected medium being present in the memory storage of the data transfer element receiving the selected medium.

An embodiment of a partitioned data library in accordance with a preferred embodiment of the present invention comprises data storage media, each medium of the media having cartridge memory; a plurality of storage element slots, each of the slots adapted to store one medium of the data storage media, at least one set of at least one of the slots assigned to one partition of a plurality of library partitions; and a plurality of data transfer elements that are adapted to receive the media, read the medium cartridge memory and transfer data to and from the media, each of at least one set of at least one of the data transfer elements assigned to one of the library partitions, wherein the cartridge memory of a selected medium is read by one of the data transfer elements receiving the selected medium, and access to the media by the data transfer elements is restricted to selected media having at least one particular unique identifier stored in the medium cartridge memory.

BRIEF DESCRIPTION OF THE DRAWING

FIG. 1 is a diagrammatic illustration of a SAN operating consistent with the teachings of the present invention;

FIG. 2 is a diagrammatic illustration of an example of a data library employing a preferred embodiment of the present invention;

FIG. 3 is a flow chart of operation of a preferred method according to a preferred embodiment; and

FIG. 4 is a flow chart of a preferred embodiment of an importation method of a medium in accordance with an embodiment of the present invention.

DETAILED DESCRIPTION

The present invention is directed to systems and methods that provide medium access security based on a unique identifier written to a medium's cartridge memory (CM). Preferably, the unique identifier is written to CM by a drive and is read by a drive. The present system and method moves ultimate responsibility for limiting access to certain media in a partitioned data library to the drives themselves, providing a failsafe for a library partitioning system: even if the library robotics deliver a medium to a drive of the wrong partition, that drive will not access it.

Turning to FIG. 1, SAN 100 is shown. By way of example, first and second customer servers 101 and 102 are connected to SAN 100 via FC switch 103. RAID 104 may be partitioned, assigning first partition 105 to server 101 and second partition 106 to server 102 using existing LUN-based RAID partitioning methods. Zero downtime backups (ZDBs) may be performed of the data each server has on the RAID to data library 108, via ZDB interconnectivity 107 between RAID 104 and data library 108. Such ZDBs preferably employ data-mover firmware embodied in RAID 104 or other elements of SAN 100. ZDBs are preferably carried out without impinging on the processor operations or LAN capacity of servers 101 and 102. Data library 108 may be partitioned in such a manner as to ensure that data for server 101 is maintained in partition 109 separate from data for server 102, and that the data of server 102 is maintained in partition 110 separate from data for server 101. Such partitioning facilitates restricting access such that the servers may not access each other's data even though both servers' data is maintained in the same physical library.

A SAN attached data library may be logically partitioned into many smaller libraries without the use of special hardware or software. Each of the drives in the library may be designated for use by a different host system that has free access to the library robotics controller as well as to the designated drives. Such a system and method is disclosed in copending U.S. patent application Ser. No. [30014510-1], “System and Method For Partitioning a Storage Area Network Associated Data Library.” A set of drives and medium storage slots of the library is assigned to each partition. The movement of media is restricted to and from slots and drives within a partition. The drives in the library are preferably assigned a limited range of media that each drive may access for read/write functions.

Data tape library 200 employing a preferred embodiment of the present system and method is illustrated in FIG. 2 as an example of a library that may be employed as library 108 of FIG. 1. However, other library designs and/or capacities may embody the present system and method. Exemplary data tape library 200 has four CM-enabled drives or data transfer elements 201-204; forty media storage element slots 205 organized into four trays 206-209 of ten slots 205 each; two FC-to-SCSI bridges 210 and 211; a library management interface card or remote management card (RMC) 212; and library controller 213. Drives 201-204, FC-to-SCSI bridges 210 and 211, RMC 212 and library controller 213 preferably communicate with each other using an inter-integrated circuit (I²C) bus, illustrated here as automated control interface (ACI) 214, or the like.

For partitions that employ the present system and method, library drives 201-204 should be assigned to each partition. Drives 201-204 are preferably enabled to read CM, thereby allowing a drive to read a unique identifier residing in the CM of a medium disposed in the drive. Additionally, media slots 205 may also be assigned to each partition to house the media assigned to the partition. A virtual library controller should be addressable with respect to each partition to control movement of media between the slots and drives by library robotics 220. The example partitioning shown in FIG. 2 is indicated by boxes 215, 216 and 217. As illustrated, LUN0 corresponds to partition 215, LUN1 corresponds to partition 216 and LUN2 corresponds to partition 217. Finally, import/export elements or mailslots may be assigned to each partition or configured for use by the entire physical library. Preferably, easily-accessible media storage slots may be configured as mailslots by the present invention.

CM-enabled tape drives 201 through 204 may be configured out-of-band, via ACI 214, so that the drives will write a specified, relatively unique, identifier to tape CM the first time a tape is inserted into the drive. This unique identifier in the CM preferably identifies the medium as having been written to by a drive or the set of drives in a virtual library partition. All drives in a partition may employ the same unique identifier; in turn, the media in the partition would have the same unique identifier residing in CM. The identifier may only be unique within the library itself, such as to provide differentiation between media of partitions of the library. Thus, it should be appreciated that the unique identifier might not differentiate media between partitions of different physical libraries. Preferably, the unique identifier is unique to a degree sufficient to differentiate media within a physical entity, such as a SAN or an SSP's resources, and would provide an indication as to the physical library, partition and/or drive to which a medium belonged. Alternatively, a unique identifier may be universally unique.

Preferably, no special initialization or inventory sequence is required to set up security employing the present system and method beyond configuring a drive to only accept media which have the aforementioned unique identifier(s) in their CM. This drive setup may be performed via an RMC user interface. The RMC and/or controller may direct a drive to only allow access to media having a particular identifier in CM. These directions are preferably conveyed via ACI 214 and stored in nonvolatile random access memory (NVRAM) associated with the drive in the form of a list of unique media identifiers the drive is allowed to access. Preferably, media with no identifier present in CM may also be accepted, at which point an identifier associated with the receiving drive and/or the drive's partition is preferably written to the CM of the medium. Thus, a new medium introduced into a partition may be secured by the present inventive system and method.

Turning to FIG. 3, a preferred embodiment of the present method 300 may be used to move responsibility for limiting access to certain media down to the drive and medium level. A medium may be loaded into a drive by the library at box 301. At box 302 the CM-enabled drive reads the CM of the medium and confirms, at 303, the presence of a unique identifier in the CM. Preferably the unique identifier will identify the medium as having been written to by that drive, or by one of a set of drives in that drive's virtual library partition. If no library-assigned unique identifier is present at 303, then the drive may write its unique identifier, which identifies the medium as belonging to the drive's partition, to the CM of the medium at box 305, and the medium is accessed at box 308. Preferably, if a medium has no identifier in CM the medium is blank, having never had data written to it. This ensures that a medium can only be used in a particular partition from the time a unique identifier is written to the medium's CM forward. Note that the scheme relies on that assumption: a medium whose CM carries no identifier is claimed by whichever partition's drive first receives it. If a unique identifier is present at step 303, then the drive firmware checks to see whether the unique identifier of the medium is present in the NVRAM of the drive at box 307. If at 307 the unique identifier is in the NVRAM, then the drive recognizes that medium as belonging to the same partition as the drive, and allows the connected host system to have unhindered read/write access to the medium at box 308. However, if at 307 the drive finds a unique identifier in the CM that identifies the medium as belonging to another partition, or that the drive does not recognize, the drive will preferably immediately eject the medium at box 306, thus denying the accessing host access to the medium.

Turning to FIG. 4, method 400, in accordance with the present invention, is illustrated for replacing a unique identifier in a medium's CM with another, different, unique identifier. Such a unique identifier swap-out may be desirable to facilitate movement of media from one physical library to another, such as may take place in a library upgrade. In such a swap-out, the partition the medium is placed in belongs to the same customer as the medium's original partition, but the identifier in the new library is different because the new library has a different set of physical drives. Additionally, “used” tapes introduced into a library will preferably have any unique identifier residing in CM replaced, in accordance with method 400. Method 400 is preferably performed as part of an import procedure for the medium into the library and performed out-of-band via the RMC and/or controller, with instructions to the drive(s) being issued over the ACI. At box 401 a medium with a unique identifier residing in CM is added to a library via an import/export slot. Preferably using an RMC user interface or the front panel of the library, the imported medium is moved, at box 402, from the import/export slot to a storage element slot in a library partition. In the case of a swap-out, the partition would preferably be one secured for use by the same customer as the partition from which the medium was exported in another library. Then, at box 403, the robotics of the library are directed, via the front panel or RMC interface, to place the medium in a drive of the partition. Preferably, at box 404, positive confirmation via the front panel or RMC interface is required before the unique identifier is overwritten, to ensure partition integrity. If this confirmation is provided, the old unique identifier in CM is overwritten at box 405 by the new drive with a unique identifier associated with the drive and/or the partition. If this positive confirmation is not provided at box 404, the medium is preferably ejected at box 406.

Method 400 is preferably carried out manually, as an automatic process would let any foreign medium imported into a partition be relabelled and read there, defeating partition security.

Preferably, the drive firmware enforces access control, and preferably the firmware or NVRAM contents cannot be changed by the end user. So even if the user has unrestricted access to both the drives and the library robotics at the command level, the user cannot defeat the access controls. Specifically, the identifier checking mode of a drive preferably may not be altered in band, such as by a SCSI command. Such an alteration is preferably only allowed to be carried out out-of-band, over the ACI. This out-of-band alteration preferably may only be made over a LAN connected to the RMC, which in turn communicates over an I²C bus to the library controller, or via the library front panel. As indicated above, the controller communicates with the drives over the ACI. The security of the scheme accordingly rests on access to the RMC's LAN interface and the library front panel being restricted to the library operator. This isolation of control and security facilitates use of conventional, unmodified backup application software by a user rather than software dictated by an SSP.
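The decision procedure of FIG. 3, the confirmed identifier swap-out of FIG. 4 and the in-band versus out-of-band control split described above, rendered as an added Python simulation. This is editorial example code, not part of the original application or any vendor's drive firmware. The class and method names, the identifier format "LIB200/P0", and the result strings ("access", "initialised", "ejected", "swapped") are assumptions chosen for the example; a real drive would act on CM contents and NVRAM and receive its policy over the ACI.

```python
"""Added example (not from the patent): drive-side media access control
keyed on a library-assigned identifier held in cartridge memory (CM).

Models FIG. 3 (load -> read CM -> check NVRAM list -> access / claim /
eject), FIG. 4 (confirmed identifier swap-out on import) and the rule
that the identifier policy is only changeable out-of-band (ACI), never
in band (SCSI). All names and the identifier format are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Cartridge:
    """A medium with CM. partition_id is the library-assigned unique
    identifier in CM; None models a blank medium that was never written."""
    serial: str
    partition_id: Optional[str] = None


@dataclass
class Drive:
    """A CM-enabled data transfer element. allowed_ids models the list of
    media identifiers held in the drive's NVRAM."""
    name: str
    own_id: str = ""                        # identifier written to blank media
    allowed_ids: set = field(default_factory=set)
    loaded: Optional[Cartridge] = None

    # Out-of-band path (ACI, driven from the RMC/controller): the only
    # path that may change the identifier policy.
    def configure_via_aci(self, own_id: str, allowed_ids=()) -> None:
        self.own_id = own_id
        self.allowed_ids = set(allowed_ids) | {own_id}

    # In-band path (host SCSI command): policy changes are refused, so a
    # host with full command-level access still cannot defeat the check.
    def configure_via_scsi(self, own_id: str, allowed_ids=()) -> None:
        raise PermissionError(f"{self.name}: identifier policy is not "
                              "alterable in band")

    def eject(self) -> str:
        self.loaded = None
        return "ejected"

    def load(self, cart: Cartridge) -> str:
        """FIG. 3: returns 'access', 'initialised' or 'ejected'."""
        self.loaded = cart
        cm_id = cart.partition_id                 # box 302: read CM
        if cm_id is None:                         # box 303: no library id
            cart.partition_id = self.own_id       # box 305: claim blank medium
            return "initialised"                  # box 308: access allowed
        if cm_id in self.allowed_ids:             # box 307: id in NVRAM list
            return "access"                       # box 308
        return self.eject()                       # box 306: foreign id, eject

    def import_swap(self, cart: Cartridge, confirmed: bool) -> str:
        """FIG. 4: replace a foreign identifier, but only with positive
        out-of-band confirmation (box 404); otherwise eject (box 406)."""
        self.loaded = cart
        cm_id = cart.partition_id
        if cm_id is None or cm_id in self.allowed_ids:
            return self.load(cart)                # nothing foreign to replace
        if not confirmed:
            return self.eject()                   # box 406
        cart.partition_id = self.own_id           # box 405: overwrite old id
        return "swapped"


def demo() -> dict:
    """Walk one drive in partition P0 of library LIB200 through the cases
    the description covers (constructed data, not real media)."""
    drive = Drive("drive201")
    drive.configure_via_aci("LIB200/P0")
    blank = Cartridge("C0001")                    # new, never written
    foreign = Cartridge("C0002", "LIB200/P1")     # belongs to another partition
    out = {
        "blank_first_load": drive.load(blank),
        "blank_id_after": blank.partition_id,
        "blank_reload": drive.load(blank),
        "misplaced_foreign": drive.load(foreign),
        "unconfirmed_import": drive.import_swap(foreign, confirmed=False),
        "foreign_id_after_refusal": foreign.partition_id,
        "confirmed_import": drive.import_swap(foreign, confirmed=True),
        "foreign_after_swap": drive.load(foreign),
    }
    try:
        drive.configure_via_scsi("LIB200/P1")
        out["inband_reconfig"] = "allowed"
    except PermissionError:
        out["inband_reconfig"] = "refused"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:26} {value}")
```

The point of the split between configure_via_aci and configure_via_scsi is that the drive's decision in load() never consults who issued the command: a host with unrestricted SCSI access to drive and robotics can move a foreign cartridge into the drive, but the drive ejects it, and the only way to change that outcome is the out-of-band path the SSP controls.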

1. A method for securing access to a data medium comprising: listing at least one unique identifier of media that a data transfer element is allowed to access in memory storage of said data transfer element; accessing only media having at least one of said listed unique identifiers in media cartridge memory with said data transfer element; and writing a unique identifier associated with said data transfer element to cartridge memory of a selected medium with said data transfer element in response to no library assigned unique identifier being present in said cartridge memory of said selected medium.

2. The method of claim 1 further comprising: reading a unique identifier from cartridge memory of a selected medium with said data transfer element; and checking said memory storage of said data transfer element for said unique identifier from said selected medium cartridge memory.

3. The method of claim 1 further comprising: detecting presence of said unique identifiers in said cartridge memory of a selected medium.

4. The method of claim 1 wherein said writing step further comprises: accessing said selected medium.

5. The method of claim 1 wherein said accessing step further comprises: ejecting a selected medium in response to absence of said unique identifier of said selected medium in said memory storage of said data transfer element.

6. The method of claim 1 wherein said data transfer element and said media that said data transfer element is allowed to access are part of a data library partition.

7. The method of claim 1 further comprising: overwriting an existing unique identifier in cartridge memory of a selected medium with one of said listed unique identifiers associated with said data transfer element.

8. The method of claim 1 wherein at least one of said media is selected from a group of media consisting of: media previously assigned a unique identifier, new blank media, media erroneously placed in said data transfer element, and imported media.

9. A method for securing access to data media in a particular partition of a partitioned data library, said method comprising: listing at least one unique identifier of media that data transfer elements in said partition are allowed to access in memory storage of said data transfer elements in said partition; reading a unique identifier from cartridge memory of a selected medium with a data transfer element receiving said selected medium; checking said memory storage of said data transfer element receiving said selected medium for said unique identifier of said selected medium; and accessing said selected medium in response to said unique identifier of said selected medium being present in said memory storage of said data transfer element receiving said selected medium.

10. The method of claim 9 further comprising: ejecting said selected medium in response to an absence of said unique identifier of said selected medium in said memory storage of said data transfer element receiving said selected medium.

11. The method of claim 9 further comprising: writing a unique identifier associated with said partition to said cartridge memory of said selected medium, in response to no library assigned unique identifier being present in said cartridge memory of said selected medium.

12. The method of claim 11 wherein said writing step further comprises: accessing said selected medium.

13. The method of claim 11 further comprising: overwriting an existing unique identifier in cartridge memory of said selected medium with one of said listed unique identifiers associated with said partition.

14. The method of claim 9 wherein said reading step further comprises detecting presence of any unique identifiers in said cartridge memory of said selected medium.

15. The method of claim 9 wherein at least one of said media is selected from a group of media consisting of: media previously assigned a unique identifier, new blank media, media erroneously placed in said particular partition, media imported into said library, and media imported into said particular partition.

16. A partitioned data library comprising: data storage media, each medium of said media having cartridge memory; a plurality of storage element slots, each of said slots adapted to store one medium of said data storage media, at least one set of at least one of said slots assigned to one partition of a plurality of library partitions; and a plurality of data transfer elements that are adapted to receive said media, read said medium cartridge memory and transfer data to and from said media, each of at least one set of at least one of said data transfer elements assigned to one of said library partitions, wherein said cartridge memory of a selected medium is read by one of said data transfer elements receiving said selected medium and access to said media by said data transfer elements is restricted to selected media having at least one particular unique identifier stored in said medium cartridge memory.

17. The library of claim 16 further comprising: a library controller directing movement of said media between one of said sets of slots and one of said sets of data transfer elements assigned to a same one of said partitions.

18. The library of claim 16 wherein each of said data transfer elements comprises memory storage storing a list of at least one unique media identifier that data transfer elements in a particular data transfer element's partition are allowed to access.

19. The library of claim 16 wherein a selected medium is ejected from a data transfer element receiving said selected medium in response to said unique identifier in cartridge memory of said selected medium not being one of said at least one particular unique identifier.

20. The library of claim 16 wherein a data transfer element receiving a selected medium without a unique identifier in medium cartridge memory writes a unique identifier associated with a partition of said data transfer element receiving said selected medium to cartridge memory of said selected medium.

21. The library of claim 16 wherein at least one of said media is selected from a group of media consisting of: media previously assigned a unique identifier, new blank media, media erroneously placed in a partition, media imported into said library, and media imported into a partition.